Cyber Incident Victim: Phoenix Programs of Florida, Inc.

On October 21, 2022, Phoenix Programs of Florida, Inc., a nonprofit drug and alcohol rehabilitation organization based in Brandon, Florida, filed a data breach notice with the Massachusetts Attorney General following the compromise of several company email accounts. The breach occurred between July 13, 2021, and November 1, 2021, when an unauthorized party gained access to certain employee email accounts. Phoenix House Florida discovered the intrusion and responded by resetting all email login credentials and engaging a third-party data security firm to investigate the incident. The investigation confirmed the unauthorized access and could not rule out that the attacker viewed or removed information from the compromised accounts. It was determined that the email accounts contained sensitive consumer data, prompting Phoenix Programs of Florida to conduct a review of the affected files to identify the specific information exposed and the individuals impacted. The compromised data included names, Social Security numbers, driver’s license numbers, dates of birth, credit/debit card numbers with expiration dates and CVV/security codes, digitized or electronic signatures, Client IDs, protected health information related to medical history, health conditions, treatments, diagnoses, and health insurance details.

The breach affected individuals who had sought treatment from Phoenix House Florida, placing their personal and medical information at risk of misuse by potential criminals. On October 19, 2022, Phoenix Programs of Florida began sending data breach notification letters to all impacted parties, informing them of the incident and outlining steps to protect against identity theft and fraud. The organization, which operates rehabilitation centers across the United States and employs over 2,700 people with annual revenue of approximately $101 million, disclosed the breach through its filing with the Massachusetts Attorney General and a notice on its website. The exposure of highly sensitive data, particularly health-related information and financial details, significantly elevated the risk of identity theft and fraud for affected consumers. No additional attacker actions, containment measures beyond credential resets, or specifics about detection methods were detailed in the available sources. The incident underscored the vulnerability of email-based systems to unauthorized access and the potential consequences for entities handling sensitive health and financial data.